In software application environments, users typically rely on software applications to prevent unauthorized access to files of stored data through the use of user names and passwords. A software application may protect the data by relying on a data storage system that in turn requires authentication via user name and password. Often, user passwords are the only commercially viable means of protecting such data. To avoid memorizing multiple passwords, users may also reuse passwords across various applications and systems. In some cases, a user may have a single global password for every application and service that requires one. In other cases, a software application may not maintain distinct user names and passwords for the data storage system at all, and may instead rely on a global user name and password, supplying an application identifier as the user name and a fixed password to the data storage system. However, the use of a global user name and password on the data storage system opens up the possibility of systemic attack against the database. Conversely, having no global database password provides increased security but presents a challenge for data recovery.
From time to time, users may want to recover data from their files, creating a need for data recovery engineers to access user information stored in a database. In such situations, a user may tell a data recovery engineer the user's user name and password so that the user's files may be accessed. However, giving this password to the data recovery engineer presents a security issue, because it lets the engineer assume the identity of that user not only for the file to be recovered but also for any other services or software applications for which that user name and password are valid. Even if data recovery engineers' access is restricted, such direct access to the user's file gives engineers an opportunity to look for ways to escalate their access by taking advantage of code defects in the data storage system. Moreover, the data a user wants to recover is often a forgotten password itself. In that case, the user has no way to give the data recovery engineer access to the user's files through the above method in order to perform data recovery.
Another approach to data recovery engineer access is through the use of public key encryption. In this approach, the user password is initially encrypted with the software vendor's public key. The data recovery engineer then uses the software vendor's private key to decrypt the password and access the user's file to perform data recovery. In addition to the identity fraud issues mentioned above, providing data recovery engineers with the private key exposes that key, raising further potential systemic security failure modes. This approach also still exposes the entire database to the data recovery engineer, thereby compromising the privacy of the user's information.
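The public-key escrow scheme described above, as an added example in Go that is not part of the original text: the password is encrypted under a vendor key pair and decrypted by the recovery engineer, and a constructed stand-in service where the same password was reused shows that what the engineer recovers is the user's credential everywhere, not access to one file. The key pair, OAEP label and stand-in service are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// OAEP label, constructed for this example.
var escrowLabel = []byte("user-password-escrow")

// GenerateVendorKey: the public half ships with the app, the private half is handed to recovery engineers.
func GenerateVendorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EscrowPassword encrypts the user's password under the vendor public key, as the scheme in the text does.
func EscrowPassword(pub *rsa.PublicKey, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), escrowLabel)
}

// RecoverPassword is the engineer's step; it yields the password itself, not a key scoped to one file.
func RecoverPassword(priv *rsa.PrivateKey, escrow []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, escrow, escrowLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// OtherService is a constructed stand-in for an unrelated system where the user reused the
// same password. It stores only a salted hash, so its own database never reveals the password.
type OtherService struct {
	salt []byte
	hash [32]byte
}

func NewOtherService(password string) OtherService {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return OtherService{salt: salt, hash: sha256.Sum256(append(salt, password...))}
}

// Login accepts the recovered password: the escrow handed over a credential, not file access.
func (s OtherService) Login(password string) bool {
	h := sha256.Sum256(append(s.salt, password...))
	return subtle.ConstantTimeCompare(h[:], s.hash[:]) == 1
}
```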
The industry standard for data storage is a relational database operating on an open database connectivity (ODBC) model. However, the use of a database server that listens on an open TCP port reduces the security of user files by giving remote, anonymous attackers an opportunity to access or damage user data within those files.
Accordingly, there is a need to provide a system and method for recovery of secure user file data that allows data recovery engineers access to user files on the database without an open connection and without exposing either the user's password or the software vendor's private key.